
XEngine: A Fast and Scalable XACML Policy Evaluation Engine


Presentation Transcript


  1. XEngine: A Fast and Scalable XACML Policy Evaluation Engine
  Fei Chen, Dept. of Computer Science and Engineering, Michigan State University
  Joint work with Alex X. Liu, JeeHyun Hwang, Tao Xie

  2. Roadmap
  • Introduction and Motivation
  • Three Key Ideas
  • XACML Policy Numericalization
  • XACML Policy Normalization
  • Correctness
  • Experimental Results
  • Conclusion
  (Slide footer on every following slide: XEngine: A Fast and Scalable XACML Policy Evaluation Engine, Liu, Chen, Hwang, Xie)

  3. Introduction
  Access control mechanisms (diagram): Subject (processes, machines, …) → Action (execute, read, …) → Resources (programs, file, …)
  XACML (de facto standard): eXtensible Access Control Markup Language
  • XML language
  • Powerful evaluation logic
  • Extensible and flexible

  4. Motivation
  • Check whether a request satisfies a policy or not and return the decision.
  • Performance is critical.
  • Cost per request × millions of requests per minute (Amazon)
  • Size and complexity → processing time
  Diagram: XACML Policy + XACML Request → XACML Policy Evaluation Engine → Decision

  5. Prior work
  • No prior work focuses on optimizing performance of XACML policy evaluation
  • Most work on XACML focuses on XACML policy analysis and verification
  • Sun PDP (policy decision point) is an implementation of the standard XACML evaluation engine
  • We proposed XEngine
  • Orders of magnitude faster than Sun PDP
  • More rules → more orders of magnitude
  • Hundreds of rules: two orders of magnitude faster than Sun PDP
  • Thousands of rules: four orders of magnitude faster than Sun PDP

  6. Roadmap • Introduction and Motivation • Example and Three Key Ideas • XACML Policy Numericalization • XACML Policy Normalization • Correctness • Experimental Results • Conclusion

  7. Example
    <PolicySet PolicySetId="n" PolicyCombiningAlgId="Permit-Overrides">
      <Target/>
      <Policy PolicyId="n1" RuleCombinationAlgId="Deny-Overrides">
        <Target/>
        <Rule RuleId="1" Effect="Deny">
          <Target>
            <Subjects><Subject> Student </Subject> <Subject> Secretary </Subject></Subjects>
            <Resources><Resource> Grades </Resource></Resources>
            <Actions><Action> Change </Action></Actions>
          </Target>
        </Rule>
        <Rule RuleId="2" Effect="Permit">
          <Target>
            <Subjects><Subject> Professor </Subject> <Subject> Lecturer </Subject> <Subject> Secretary </Subject></Subjects>
            <Resources><Resource> Grades </Resource> <Resource> Records </Resource></Resources>
            <Actions><Action> Change </Action> <Action> Read </Action></Actions>
          </Target>
        </Rule>
      </Policy>
      <Policy PolicyId="n2" RuleCombinationAlgId="First-Applicable">
        <Target/>
        <Rule RuleId="3" Effect="Permit">
          <Target>
            <Subjects><Subject> Student </Subject></Subjects>
            <Resources><Resource> Records </Resource></Resources>
            <Actions><Action> Change </Action> <Action> Read </Action></Actions>
          </Target>
        </Rule>
      </Policy>
    </PolicySet>
  Slide annotations: Rule 1: A student or secretary can not change grades. Deny / Decision / Permit

  8. Three Key Ideas
  • XACML policy numericalization
    • String values → Numerical values
  • XACML policy normalization
    • Recursive structure → Flat structure
    • Multiple complex conflict resolution mechanisms → one conflict resolution mechanism
  • XACML policy evaluation
    • Use a tree structure to efficiently process requests.

  9. Roadmap • Introduction and Motivation • Example and Three Key Ideas • XACML Policy Numericalization • XACML Policy Normalization • Correctness • Experimental Results • Conclusion

  10. XACML Policy Numericalization
  • Map each distinct value of the attribute to a distinct integer

  11. Roadmap • Introduction and Motivation • Example and Three Key Ideas • XACML Policy Numericalization • XACML Policy Normalization • Correctness • Experimental Results • Conclusion

  12. XACML Policy Normalization: Challenges
  • Four rule/policy combining algorithms (First-Applicable, Only-One-Applicable, Permit-Overrides, Deny-Overrides) → First-Applicable
  • Recursive structure → Flat structure
  • Multi-valued request → Decompose to multiple single-valued requests

  13. Recursive Structure
  • Model an XACML policy as a tree
  • Store the combining algorithm and target of the policy or policy set
  Diagram: root Permit-Overrides; children Deny-Overrides (R1 → deny, R2 → permit) and First-Applicable (R3 → deny); leaves R1, R2, R3
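The following is an added example, not code from the slides or from XEngine: it parses the slide-7 policy (the slide's simplified XACML, with the attribute names exactly as written there) into the tree of slide 13, numericalizes every attribute value as on slide 10, and evaluates single-valued requests with the standard recursive semantics of the four combining algorithms from slide 12. Assumptions of the example: Indeterminate is ignored (Only-One-Applicable with several applicable children yields NotApplicable), and a request value never seen in the policy maps to -1, which no rule matches.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the slide-7 policy: the slide's simplified XACML, with the
# attribute names exactly as written there (not schema-valid XACML 2.0).
POLICY_XML = """
<PolicySet PolicySetId="n" PolicyCombiningAlgId="Permit-Overrides">
  <Target/>
  <Policy PolicyId="n1" RuleCombinationAlgId="Deny-Overrides">
    <Target/>
    <Rule RuleId="1" Effect="Deny">
      <Target>
        <Subjects><Subject> Student </Subject> <Subject> Secretary </Subject></Subjects>
        <Resources><Resource> Grades </Resource></Resources>
        <Actions><Action> Change </Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="2" Effect="Permit">
      <Target>
        <Subjects><Subject> Professor </Subject> <Subject> Lecturer </Subject> <Subject> Secretary </Subject></Subjects>
        <Resources><Resource> Grades </Resource> <Resource> Records </Resource></Resources>
        <Actions><Action> Change </Action> <Action> Read </Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="n2" RuleCombinationAlgId="First-Applicable">
    <Target/>
    <Rule RuleId="3" Effect="Permit">
      <Target>
        <Subjects><Subject> Student </Subject></Subjects>
        <Resources><Resource> Records </Resource></Resources>
        <Actions><Action> Change </Action> <Action> Read </Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
"""

DIMS = ("Subject", "Resource", "Action")          # the three request attributes on the slide
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

class Numericalizer:
    """Slide 10: map each distinct string value of an attribute to a distinct integer."""
    def __init__(self):
        self.tables = {d: {} for d in DIMS}
    def num(self, dim, value):
        return self.tables[dim].setdefault(value, len(self.tables[dim]))

def parse_target(elem, nz):
    """{dim: set of ints, or None}; an empty <Target/> or a missing attribute
    group matches any value of that attribute."""
    spec = {d: None for d in DIMS}
    target = elem.find("Target")
    if target is not None:
        for dim in DIMS:
            vals = [v.text.strip() for v in target.iter(dim)]
            if vals:
                spec[dim] = {nz.num(dim, v) for v in vals}
    return spec

def parse_node(elem, nz):
    """Slide 13: each tree node stores its target plus either its combining
    algorithm and children (policy set / policy) or its effect (rule)."""
    node = {"id": elem.get("PolicySetId") or elem.get("PolicyId") or elem.get("RuleId"),
            "target": parse_target(elem, nz)}
    if elem.tag == "Rule":
        node["effect"] = elem.get("Effect")
    else:
        node["alg"] = elem.get("PolicyCombiningAlgId") or elem.get("RuleCombinationAlgId")
        node["children"] = [parse_node(c, nz) for c in elem
                            if c.tag in ("PolicySet", "Policy", "Rule")]
    return node

def matches(spec, req):
    return all(allowed is None or req[d] in allowed for d, allowed in spec.items())

def combine(alg, decisions):
    """Semantics of the four combining algorithms on slide 12 (assumption: no
    Indeterminate, so Only-One-Applicable with several applicable children gives NA)."""
    applicable = [d for d in decisions if d != NA]
    if alg == "First-Applicable":
        return applicable[0] if applicable else NA
    if alg == "Only-One-Applicable":
        return applicable[0] if len(applicable) == 1 else NA
    if alg == "Permit-Overrides":
        return PERMIT if PERMIT in applicable else (DENY if applicable else NA)
    if alg == "Deny-Overrides":
        return DENY if DENY in applicable else (PERMIT if applicable else NA)
    raise ValueError(f"unknown combining algorithm {alg}")

def evaluate(node, req):
    """Recursive evaluation of a numericalized single-valued request {dim: int}."""
    if not matches(node["target"], req):
        return NA
    if "effect" in node:
        return node["effect"]
    return combine(node["alg"], [evaluate(c, req) for c in node["children"]])

def load():
    """Parse the policy; returns (tree root, numericalization table)."""
    nz = Numericalizer()
    return parse_node(ET.fromstring(POLICY_XML.strip()), nz), nz

def decide(subject, resource, action):
    """Numericalize a request with the policy's table (unknown value -> -1,
    an assumption of this example) and evaluate it against the tree."""
    root, nz = load()
    req = {d: nz.tables[d].get(v, -1) for d, v in zip(DIMS, (subject, resource, action))}
    return evaluate(root, req)
```

With this mapping the policy's values become Student=0, Secretary=1, Professor=2, Lecturer=3, Grades=0, Records=1, Change=0, Read=1, the same integers that label the decision-diagram edges on slides 17 and 19; the secretary changing grades from slide 7 is denied because Deny-Overrides in n1 wins and n2 does not apply.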

  14. Scattered Predicates
  Diagram: policy-set target t1 : [1, 6]; policy target t3 : [0, 4]; rule R3 target tR3 : [3, 5]; rules R1, R2, R3; t1 Λ t3 Λ tR3 gives R3 : [3, 4]
  • Replace target of R3 by t1 Λ t3 Λ tR3

  15. Complex XACML Functions
  • Predicate Λ f() → permit
  • Predicate → (if f() then permit)

  16. Multi-valued Rules/Requests
  • Multi-valued Rules
    • Subject: "A person who is both a professor and a student" → professor&student is a distinct value
  • Multi-valued Requests
    • A person who is both a professor and a student wants to assign grades
    • A professor wants… → {Ri1, Ri2, …}
    • A student wants… → {Rj1, Rj2, …}
    • → Decision

  17. Complex Rule/Policy Combining Alg
  • First-Applicable
    • Concatenate rule sequences of normalized policies.
  • Only-One-Applicable
    • Check whether two rules from two sequences are overlapped.
  • Permit-Overrides or Deny-Overrides
    • Use a policy decision diagram (PDD) to convert all-match rules to first-match rules.
  Diagram (PDD of the example): S edges [0, 0], [2, 3], [1, 1]; R edges [0, 0], [0, 1], [0, 0], [1, 1]; A edges [0, 0], [0, 0], [1, 1], [0, 1], [0, 1]; leaves [R1]d, [R1]d,[R2]p, [R2]p, [R2]p, [R2]p

  18. Complex Rule/Policy Combining Alg
  Q1: A person who is both a professor and a student wants to assign grades
  Q2: • A professor wants… • A student wants…
  (Table on the slide: V1 × V2, V3 with entries deny, permit, deny, deny, permit)
  Professor → [ [R1]deny, [R4]permit ] → permit
  Student → [ [R3]deny, [R2]permit ] → permit
  Q1 → R1, R4
  Q2 → R2, R3

  19. XACML Policy Evaluation (1/2)
  • The Decision Diagram Approach
  • A final sequence of first-match rules → A PDD.
  Diagram (PDD): S edges [0, 0], [2, 3], [1, 1]; R edges [1, 1], [0, 1], [0, 0], [1, 1], [0, 0]; A edges [0, 0], [1, 1], [0, 1], [0, 1], [0, 0], [1, 1], [0, 1]; leaves [R-1]na, [R2]p, [R2]p, [R1]d, [R3]p, [R2]p, [[R1]d, [R2]p] d

  20. XACML Policy Evaluation (2/2)
  • The Forwarding Table Approach
  • d-dimensional PDD → d forwarding tables
  Diagram: A request → T1 (110), T2, T3
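An added example (not the authors' code) of the two evaluation structures on slides 19 and 20, run over a flat sequence of first-match range rules of the kind normalization produces. The rules are the ones normalization of the slide-7 policy yields, derived by hand here with the mapping Student=0, Secretary=1, Professor=2, Lecturer=3, Grades=0, Records=1, Change=0, Read=1 (an assumption; the slide does not print the mapping). The PDD is built as a tree with one level per attribute and range-labelled edges, and the forwarding tables are taken to be per-dimension bit vectors whose AND gives the matching rules (my reading of the "T1 (110)" label on slide 20, also an assumption). Every request in the domain is evaluated three ways so the structures can be checked against a plain first-match scan.

```python
from itertools import groupby, product

DIMS = ("Subject", "Resource", "Action")
DOMAIN = {"Subject": (0, 3), "Resource": (0, 1), "Action": (0, 1)}   # inclusive [lo, hi]
NA = "na"

# First-match range rules (name, {dim: (lo, hi)}, decision): the flat sequence
# that normalizing the slide-7 policy yields, derived by hand (see lead-in).
RULES = [
    ("R1", {"Subject": (0, 1), "Resource": (0, 0), "Action": (0, 0)}, "deny"),
    ("R2", {"Subject": (1, 3), "Resource": (0, 1), "Action": (0, 1)}, "permit"),
    ("R3", {"Subject": (0, 0), "Resource": (1, 1), "Action": (0, 1)}, "permit"),
]

def covers(rule, dim, v):
    lo, hi = rule[1][dim]
    return lo <= v <= hi

def linear_first_match(rules, req):
    """Baseline: scan the sequence, return (rule name, decision) of the first match."""
    for rule in rules:
        if all(covers(rule, d, req[d]) for d in DIMS):
            return rule[0], rule[2]
    return None, NA

# (a) Policy decision diagram, slide 19: one level per dimension, edges labelled
# with disjoint ranges that together cover the domain, leaves = first-match rule.
def build_pdd(rules, depth=0):
    if depth == len(DIMS):                                  # leaf
        return (rules[0][0], rules[0][2]) if rules else (None, NA)
    dim = DIMS[depth]
    lo, hi = DOMAIN[dim]
    still_matching = lambda v: tuple(r for r in rules if covers(r, dim, v))
    edges = []
    # consecutive values with the same set of still-matching rules share one edge
    for alive, values in groupby(range(lo, hi + 1), key=still_matching):
        values = list(values)
        edges.append((values[0], values[-1], build_pdd(list(alive), depth + 1)))
    return edges

def eval_pdd(node, req, depth=0):
    """Walk one edge per dimension; the depth of the walk is fixed at d."""
    if depth == len(DIMS):
        return node
    v = req[DIMS[depth]]
    for lo, hi, child in node:
        if lo <= v <= hi:
            return eval_pdd(child, req, depth + 1)
    raise ValueError(f"{DIMS[depth]}={v} outside domain")

# (b) Forwarding tables, slide 20: d tables, one per dimension, mapping each
# attribute value to a bit vector (bit i set iff rule i covers that value).
def build_tables(rules):
    tables = {}
    for dim in DIMS:
        lo, hi = DOMAIN[dim]
        tables[dim] = {v: sum(1 << i for i, r in enumerate(rules) if covers(r, dim, v))
                       for v in range(lo, hi + 1)}
    return tables

def eval_tables(tables, rules, req):
    bits = -1                                               # all ones
    for dim in DIMS:
        bits &= tables[dim][req[dim]]                       # AND the d bit vectors
    if bits == 0:
        return None, NA
    first = (bits & -bits).bit_length() - 1                 # lowest set bit = first-match rule
    return rules[first][0], rules[first][2]

def bit_string(tables, dim, v, n=len(RULES)):
    """Render a table entry the way slide 20 prints it (e.g. '110'), rule 1 first."""
    return "".join("1" if tables[dim][v] >> i & 1 else "0" for i in range(n))

def all_methods_agree(rules=RULES):
    """Evaluate every request in the domain with all three methods; True iff they agree."""
    pdd, tables = build_pdd(rules), build_tables(rules)
    for vals in product(*(range(lo, hi + 1) for lo, hi in (DOMAIN[d] for d in DIMS))):
        req = dict(zip(DIMS, vals))
        base = linear_first_match(rules, req)
        if base != eval_pdd(pdd, req) or base != eval_tables(tables, rules, req):
            return False
    return True
```

Built this way the root of the PDD has exactly the three Subject edges [0, 0], [1, 1], [2, 3] that appear on slide 19, and the Subject table entry for Secretary (value 1) renders as 110, since rules R1 and R2 cover that subject and R3 does not. The linear scan costs a range check per rule per request, while the diagram walk and the table lookup cost work proportional to the number of attributes, which is what makes the two structures scale with the rule count.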

  21. Roadmap • Introduction and Motivation • Example and Three Key Ideas • XACML Policy Numericalization • XACML Policy Normalization • Correctness • Experimental Results • Conclusion

  22. Correctness
  • We proved the correctness of XEngine
    • Lemmas, Theorems
  • Experimental results are the same as Sun PDP

  23. System Overview
  Diagram: XACML Policy → Policy Numericalization & Normalization (Structure Tree) → Numericalization Table + First-match Range Rules → Decision Diagrams / Forwarding Tables; XACML Request → Request Numericalization → XACML Policy Evaluation Engine → Decision

  24. Roadmap • Introduction and Motivation • Example and Three Key Ideas • XACML Policy Numericalization • XACML Policy Normalization • Correctness • Experimental Results • Conclusion

  25. Experimental Results (1/3)
  • Preprocessing time of XEngine
  • Only 6 seconds for a synthetic XACML policy with 4000 rules

  26. Experimental Results (2/3)
  • For real-life XACML policies (100,000 requests)
  • Forwarding table approach is 117 times faster than Sun PDP
  • PDD approach is 75 times faster than Sun PDP
  (Chart, log scale)

  27. Experimental Results (3/3)
  • For synthetic XACML policies (100,000 requests)
  • Under 400, 2000 and 4000 rules
  • Forwarding table is 3594, 18643, 34408 times faster than Sun PDP.
  • PDD approach is 1405, 6210, 10873 times faster than Sun PDP.
  • Performance difference grows almost linearly with the number of rules.
  (Chart, log scale)

  28. Concluding Remarks
  • We presented a series of algorithms to convert an XACML policy to a decision diagram (or forwarding tables)
  • We proposed a series of algorithms to process requests.
  • XEngine is effective on both real-life and synthetic XACML policies
  • It is orders of magnitude faster than the widely deployed Sun PDP

  29. Questions?
